From: "Yao, Jiewen"
To: "Ni, Ruiyu", "edk2-devel@lists.01.org"
Date: Fri, 16 Mar 2018 07:24:04 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503AB01E26@shsmsx102.ccr.corp.intel.com>
In-Reply-To: <20180316070543.357716-1-ruiyu.ni@intel.com>
Subject: Re: [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add more check for the UX capsule
List-Id: EDK II Development

Reviewed-by: jiewen.yao@intel.com

> -----Original Message-----
> From: Ni, Ruiyu
> Sent: Friday, March 16, 2018 3:06 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen
> Subject: [PATCH] MdeModulePkg/DxeCapsuleLibFmp: Add more check for the
> UX capsule
>
> Contributed-under: TianoCore Contribution Agreement 1.1
> Signed-off-by: Ruiyu Ni > Cc: Jiewen Yao > --- > .../Library/DxeCapsuleLibFmp/DxeCapsuleLib.c | 21 > +++++++++++++++++++-- > 1 file changed, 19 insertions(+), 2 deletions(-) >=20 > diff --git a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c > b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c > index 15dbc00216..555c5971d0 100644 > --- a/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c > +++ b/MdeModulePkg/Library/DxeCapsuleLibFmp/DxeCapsuleLib.c > @@ -330,8 +330,25 @@ DisplayCapsuleImage ( > UINTN Width; > EFI_GRAPHICS_OUTPUT_PROTOCOL *GraphicsOutput; >=20 > - ImagePayload =3D (DISPLAY_DISPLAY_PAYLOAD *)(CapsuleHeader + 1); > - PayloadSize =3D CapsuleHeader->CapsuleImageSize - > sizeof(EFI_CAPSULE_HEADER); > + // > + // UX capsule doesn't have extended header entries. > + // > + if (CapsuleHeader->HeaderSize !=3D sizeof (EFI_CAPSULE_HEADER)) { > + return EFI_UNSUPPORTED; > + } > + ImagePayload =3D (DISPLAY_DISPLAY_PAYLOAD *)((UINTN) CapsuleHeader + > CapsuleHeader->HeaderSize); > + // > + // (CapsuleImageSize > HeaderSize) is guaranteed by IsValidCapsuleHead= er(). > + // > + PayloadSize =3D CapsuleHeader->CapsuleImageSize - > CapsuleHeader->HeaderSize; > + > + // > + // Make sure the image payload at least contain the > DISPLAY_DISPLAY_PAYLOAD header. > + // Further size check is performed by the logic translating BMP to GOP= BLT. > + // > + if (PayloadSize <=3D sizeof (DISPLAY_DISPLAY_PAYLOAD)) { > + return EFI_INVALID_PARAMETER; > + } >=20 > if (ImagePayload->Version !=3D 1) { > return EFI_UNSUPPORTED; > -- > 2.16.1.windows.1
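
Review bot: in the new size check at the end of the hunk, `PayloadSize <= sizeof (DISPLAY_DISPLAY_PAYLOAD)` rejects a payload that is exactly the size of the header, while the comment above it says the payload must "at least contain" the header. Reword the comment to say the payload must be larger than DISPLAY_DISPLAY_PAYLOAD (header plus image data) so that the comment and the comparison agree. The PayloadSize subtraction also relies on IsValidCapsuleHeader() having been run by the caller, which is not visible in this hunk. If PayloadSize is an unsigned type, a wrapped difference would pass the `<=` test, so rejecting `CapsuleImageSize <= HeaderSize` explicitly next to the HeaderSize check would keep DisplayCapsuleImage() safe on its own. The commit message has no body, so the reason for the extra checks is undocumented; a sentence on which malformed UX capsules they reject would help.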